Re: sepgsql logging - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: sepgsql logging
Date
Msg-id 24b9c56a21860955933afc0bfd11106e5b292b37.camel@vmware.com
In response to Re: sepgsql logging  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: sepgsql logging
List pgsql-hackers
On Wed, Apr 14, 2021 at 8:42 AM Dave Page <dpage@pgadmin.org> wrote:
> Attached is a patch to clean this up. It will log denials as such
> regardless of whether or not either selinux or sepgsql is in
> permissive mode. When either is in permissive mode, it'll add
> "permissive=1" to the end of the log messages. e.g.

Dave,

Just to clarify -- it looks like this patch *only* adds the
"permissive=1" part, right? I don't see any changes around denied-vs-
allowed.

I read the previous posts to mean that you were seeing "allowed" when
you should have been seeing "denied". I don't see that behavior --
without this patch, I see the correct "denied" entries even when
running in permissive mode. (It's been a while since the patch was
posted, so I checked to make sure there hadn't been any relevant
changes in the meantime, and none jumped out at me.)

That said, the patch looks good as-is and seems to be working for me on
a Rocky 8 VM. (You weren't kidding about the setup difficulty.) Having
permissive mode show up in the logs seems very useful.

As an aside, I don't see the "allowed" verbiage that sepgsql uses in
any of the SELinux documentation. I do see third-party references to
"granted", though, as in e.g.

    avc: granted { execute } for ...

That's not something that I think this patch should touch, but it
seemed tangentially relevant for future convergence work.

On Wed, 2021-04-14 at 09:49 -0400, Robert Haas wrote:
> Looks superficially reasonable on first glance, but I think we should
> try to get an opinion from someone who knows more about SELinux.

I am not that someone, but this looks straightforward, it's been
stalled for a while, and I think it should probably go in.

--Jacob
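The behaviour the patch is after, denials logged as denials with a trailing "permissive=1" marker when SELinux or sepgsql is permissive, is easy to lose downstream if a log consumer only keys on the decision word. The following is an added example, not code from this thread, from Dave's patch or from sepgsql itself: a small Python parser that runs over constructed log lines and separates enforced denials from denials that were only logged because the system was permissive. The line layout (a "SELinux:" prefix, an AVC-style "decision { perms }" group, key=value fields, and a "permissive=1" suffix) is an assumption modelled on the AVC line quoted above and on the suffix described in the patch; sepgsql's real field order may differ, so the regular expressions are the part to adapt.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample log lines (not real output from any system). The layout is
# an assumption modelled on the AVC-style "decision { perms } for ..." form and
# on the "permissive=1" suffix discussed in the thread.
SAMPLE_LOG = """\
LOG:  SELinux: denied { select } scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.secrets" permissive=1
LOG:  SELinux: allowed { select } scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.notes"
LOG:  SELinux: denied { update } scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.secrets"
LOG:  checkpoint complete: wrote 3 buffers
"""

# Decision word and permission set; "granted" is accepted alongside "allowed"
# because third-party AVC output uses that wording.
LINE_RE = re.compile(
    r"SELinux:\s+(?P<decision>denied|allowed|granted)\s+\{\s*(?P<perms>[^}]*)\}"
    r"(?P<rest>.*)$"
)
# key=value pairs; values are either a quoted string or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcEvent:
    decision: str
    perms: Tuple[str, ...]
    scontext: Optional[str]
    tcontext: Optional[str]
    tclass: Optional[str]
    name: Optional[str]
    permissive: bool

    @property
    def enforced(self) -> bool:
        """A denial that actually blocked the access."""
        return self.decision == "denied" and not self.permissive

    @property
    def would_have_denied(self) -> bool:
        """A denial that policy would block but permissive mode let through."""
        return self.decision == "denied" and self.permissive


def parse_line(line: str) -> Optional[AvcEvent]:
    """Return an AvcEvent for an access-control line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcEvent(
        decision=m.group("decision"),
        perms=tuple(m.group("perms").split()),
        scontext=fields.get("scontext"),
        tcontext=fields.get("tcontext"),
        tclass=fields.get("tclass"),
        name=fields.get("name"),
        # The marker the patch appends; absent means enforcing mode.
        permissive=fields.get("permissive") == "1",
    )


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def summarize(events) -> dict:
    """Count events by what actually happened versus what policy said."""
    return {
        "enforced_denials": sum(e.enforced for e in events),
        "permissive_denials": sum(e.would_have_denied for e in events),
        "allowed": sum(e.decision in ("allowed", "granted") for e in events),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        tag = "PERMISSIVE" if e.would_have_denied else e.decision.upper()
        print(f"{tag:10} {e.tclass} {e.name} {{ {' '.join(e.perms)} }}")
    print(summarize(evs))
```

The point of keeping `enforced` and `would_have_denied` as separate properties is the one the patch makes: in permissive mode the access went through, so a consumer that treats every "denied" line as a blocked request overstates what was stopped, while one that drops them loses the policy violations that would bite once enforcing mode is turned on.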
